entries for /etc/services (kpop 1109/tcp) and inetd.conf on
the mail server but can't find the kpop binary (or source)
anywhere. We're using kerberos5-1.2.1
The qualcomm popper supports kpop (if you build it against kerb libs).
Cyrus also supports KPOP.
--
Russ Allbery ([EMAIL PROTECTED
slackware 8 with MIT kerberos
1.2.3. Does anyone have an idea ?
I don't believe login.krb5 supports MD5 passwords.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
http
.
On Linux, a Kerberos PAM module is usually a better idea.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
as frequently.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
are mostly site-specific; drop me a
line in e-mail and let me know what you're doing and I can probably find a
good solution for you.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL
in
a single homogenous file system.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
(and OpenAFS is superior in most
respects at this point anyway).
If you want an encrypted FS you can use Sun's SEAM (SecNFS) which is
KRB5 based. Or wait for NFSv4
You can get network encryption with AFS. It's just not really anything to
write home about yet, and it's not on by default.
--
Russ
.
I'm not sure what you're comparing here, since neither of those
environments sound anything like AFS. They sound like two different ways
to configure NFS, neither of which scale anywhere like the way that AFS
scales.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
is that Kerberos isn't designed solely to
authenticate a user to a single service, but instead to provide the user
with a set of credentials which can then be used to authenticate to *any*
Kerberos service without requiring further authentication events in the
client?
--
Russ Allbery ([EMAIL
a particular
networking issue? If so, the answer is probably not, or at least it
wouldn't be the most natural way of doing so.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED
easier, even for people inside the US. (The folks at
crypto-publish.org have filed the required paperwork with the US
government to make available cryptographic software in source format, and
MIT has been reluctant to do that for legal reasons.)
--
Russ Allbery ([EMAIL PROTECTED]) http
pacifican [EMAIL PROTECTED] writes:
I am located in the USA, (California) and don't have a clue as to how to
get the download site to believe that I am. Anyone have a suggestion?
Download Kerberos from http://www.crypto-publish.org/. It doesn't have
the country restrictions.
--
Russ Allbery
kcmd: Error getting forwarded creds
klist -f will show what flags are set on your tickets. My guess is that
you haven't obtained a forwardable ticket; in other words, the F flag
won't appear next to the ticket.
To obtain a forwardable ticket, use kinit -f.
--
Russ Allbery ([EMAIL PROTECTED
. Anyway,
we've had intermittant hardware problems with one of our Kerberos servers
that should now be fixed; if you rsystem was configured to look at it
first for some reason, that would be the problem.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
to download Kerberos v5 instead.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
install tcsh
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
confidentiality, but
essentially all Kerberos-enabled applications can negotiate a privacy
layer at the same time. Usually Kerberos is used via an authentication
and confidentiality negotiation protocol such as GSSAPI or SASL which
includes a way of negotiating a privacy layer.
--
Russ Allbery ([EMAIL
forwarding,
etc.) in favor of something that's basically secure NIS. If secure NIS is
something you're happy with, hey, great, but to me it feels like 1980s
security technology, long-since obsolete.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
with MIT tries
ftp/hostname.example.com and then falls back on host/hostname.example.com
if the former doesn't exist.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
https
Ken Raeburn [EMAIL PROTECTED] writes:
On Tuesday, Feb 10, 2004, at 21:48 US/Eastern, Russ Allbery wrote:
It depends entirely on what your ftp server and client are using to do
authentication. It looks like the version that comes with MIT tries
ftp/hostname.example.com and then falls back
the stored TGT to obtain a service ticket for the new
web application.
This is exactly the design of Stanford's WebAuth v3. :) See:
http://webauthv3.stanford.edu/
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
wrote many
years ago), but none of them could meet all of our requirements (in
particular, we hope to make extensive use of proxy authentication down the
road).
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos
Christopher Kranz [EMAIL PROTECTED] writes:
Russ Allbery [EMAIL PROTECTED] wrote:
No, you still have to require that the connection between the web
client and the web application server be encrypted. The thing that
you're missing is that doing regular Kerberos involves a computational
step
experience with other
protocols like e-mail, we're just not holding our breath.
Having a protocol in place is one thing. Having a random PC be able to
authenticate to web pages without installing additional software is quite
another.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org
software
installed and configured in order to even consider using browser SSO,
No, they don't.
I think you've missed how WebAuth works. It doesn't require any software
on the client side whatsoever except for a browser that supports SSL and
cookies.
--
Russ Allbery ([EMAIL PROTECTED
, though. With
WebAuth, you basically have to exit the browser when you're done to log
out; nothing else is really safe or sufficient.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL
or TGT in order
to obtain service tickets.
Are you storing state on the login server, maybe? We had a requirement
not to do that because we wanted to easily load-balance the login server.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
see better behavior in this case.
Cool, thanks. I didn't know if this was a known bug. We're hoping to
move to 1.3.2 or 1.3.3, probably shortly after we finally manage to get a
K5 aklog working, so *maybe* this summer, more likely later in the year.
--
Russ Allbery ([EMAIL PROTECTED
was to standardize use of SASL to do
authentication.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
. What are the actual undefined
reference errors?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
than Microsoft's are pretty
experimental.
See http://modauthkerb.sourceforge.net/; what you're looking for is the
HTTP Negotiate authentication mechanism, which uses SPNEGO and GSSAPI.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
CHANGES lists. are there any hints and
tricks to do to avoid that incompatibility?
Use the latest versions of both OpenSSL and Kerberos and you should be
fine. This was fixed some time ago.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
( \xff\xfb%
), as you see not written by me, that make the request fail. Trying with
a non kerberized client to preform the same process I get a correct
answer by the server.
It looks like telnet is trying to do option negotiation even though the
destination port isn't the telnet port.
--
Russ
is the ansawer??
It depends on what services you're talking about. If you're talking about
klogind, telnetd, or the like, you have to run them through a service like
inetd (xinetd, tcpserver, etc. would all work).
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
context you're discussing these things in.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
is mod_auth_gss_krb5, available
from:
http://modgssapache.sourceforge.net/
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo
services.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
admin_server = krb5-admin.stanford.edu
}
for instance.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
need KTH Kerberos as well or need to hack on the
Makefile a little bit; the next version will have a configure option to
disable Kerberos v4 support.
Also, any hints on how to do K5 error handling in a way that works with
both Heimdal and MIT would be greatly appreciated.
--
Russ Allbery ([EMAIL
this into the next release.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
K4 AFS protocol to do authentication,
which definitely isn't the recommended configuration. If you use K5 for
authentication, as is recommended, the clients need to talk directly to
the KDC.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
this, but alas it's still fairly common to
have to send a Kerberos username/password pair over a TLS connection to be
verified on the server. GSSAPI client support is slow to materialize.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
this in the current krb5 distribution
or any plans to implement something similar?
default_lifetime in the [appdefaults] section, I believe.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list
/krb5/krb/init_ctx.c). It looks like they might not have ever
been really supported?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo
);
}
That would be default_lifetime in [appdefaults]. Are you sure that you
have the time specification syntax right?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos
lifetime in krb5.conf.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Ryan Underwood [EMAIL PROTECTED] writes:
On Tue, Jun 28, 2005 at 09:51:47PM -0700, Russ Allbery wrote:
Yup, looks like all that code has been significantly redone in 1.4. I
agree, I don't see anything in 1.3.6 that would let you change the
default ticket lifetime in krb5.conf
Ryan Underwood [EMAIL PROTECTED] writes:
On Tue, Jun 28, 2005 at 09:36:42PM -0700, Russ Allbery wrote:
That would be default_lifetime in [appdefaults]. Are you sure that you
have the time specification syntax right?
Yeah, I just don't have the code you quoted in the 1.3.6 kinit.c
always recreate the stash file. Since the slave KDCs all have a copy of
the stash file, one could also argue that the slave KDCs are backups of
the stash file (and the database).
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
Ryan Underwood [EMAIL PROTECTED] writes:
On Wed, Jun 29, 2005 at 10:04:40AM -0700, Russ Allbery wrote:
All that code to support appdefault configuration in kinit is a local
modification, which is also why default_lifetime was working for us
locally but isn't working for you.
Hmm, so are you
?
No. You really do not want to have two password repositories that you
have to keep in sync. You *can* get LDAP to refer its authentications to
Kerberos, but my understanding is that this is not the fastest thing in
the world to do.
--
Russ Allbery ([EMAIL PROTECTED]) http
] and the cross-realm trust was 2 admins
ago - did they make a mistake, or is this a bug in kerb, or is this
expected behavior?
I would expect your krbtgt ticket to include your realm. Ours always has,
and we haven't set up cross-realm trust.
--
Russ Allbery ([EMAIL PROTECTED]) http
that EAI_NODATA is not listed as a valid return code in
RFC 3493.
This should be fixed in the krb5 source, but in the meantime the
workaround would be to compile with -DEAI_NODATA=EAI_NONAME, which the
code appears to deal with correctly.
--
Russ Allbery ([EMAIL PROTECTED]) http
a NULL
pointer. (There's also another problem with MIT K5 right now where it
doesn't completely initialize an output_token buffer in the GSSAPI layer
in some particular circumstances.)
These are #1988 and #3086 in the MIT Kerberos RT.
--
Russ Allbery ([EMAIL PROTECTED]) http
kinit and kadmin clients:
Assertion failed: (k5int_i-did_run != 0), function
krb5int_initialize_library,
file krb5_libinit.c, line 60.
Abort (core dumped)
This smells like threading issues, but beyond that I'm afraid I can't
really help.
--
Russ Allbery ([EMAIL PROTECTED
as well.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
cache but
instead create the ticket cache with mkstemp or a similar routine.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo
$ kinit
Password for [EMAIL PROTECTED]:
*hangs forever after password is entered*
If you run kinit under strace, what is it doing after you enter your
password? Nothing at all?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
? It should work basically
like kinit, but it's an independent implementation. That should isolate
whether it's some sort of library problem or possibly a problem in kinit
itself.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
apt-get install valgrind and then run:
valgrind kinit
and it will spew out lots of memory debugging. You can use the --log-file
option to specify a file to which the output should go instead.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
==by 0x406E075: dereference (cc_file.c:1485)
==16877==by 0x406E2EE: krb5_fcc_close (cc_file.c:1503)
==16877==by 0x40701D3: krb5_cc_close (ccfns.c:61)
==16877==by 0x8049E3B: (within /usr/bin/kinit)
==16877==by 0x4100EAF: __libc_start_main (in
/lib/tls/i686/cmov/libc-2.3.5.so)
--
Russ
directory that lists
jay/[EMAIL PROTECTED] as a principal authorized to log on to that account?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman
Jon DeVree [EMAIL PROTECTED] writes:
On Wed, Dec 14, 2005 at 07:39:56PM -0800, Russ Allbery wrote:
One thing that I did notice was a bunch of SASL calls earlier on. I
think the invalid reads there are probably just the standard ld.so
noise that doesn't appear to mean anything
Jon DeVree [EMAIL PROTECTED] writes:
On Wed, Dec 14, 2005 at 11:02:50PM -0800, Russ Allbery wrote:
Okay, getting closer. What SASL modules do you have installed? In
particular, do you have any GSSAPI SASL modules installed?
Just libsasl2 package because the ldap packages in Debian depend
at:
http://archives.java.sun.com/cgi-bin/wa?A2=ind0212L=java-securityF=S=P=802
in which case try the fix at:
http://archives.java.sun.com/cgi-bin/wa?A2=ind0212L=java-securityD=0P=1130
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
Kerberos?
i tested telnet -F and rlogin -F and both works fine , i want to know how
can i make authentcation done through kerberos for all login?
Generally one uses a Kerberos PAM module.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
that, but it looks like the profile parser is going to be rewritten
and I'm holding off a little on trying to beat those patches into place
until I see if the profile API changes (since we had to change it in order
to do some things properly).
--
Russ Allbery ([EMAIL PROTECTED]) http
Smellyfrog [EMAIL PROTECTED] writes:
[Fri Jan 13 12:57:16 2006] [debug] src/mod_auth_kerb.c(1023): [client
172.24.25.100] Acquiring creds for HTTP/[EMAIL PROTECTED]
This looks wrong. Normally the instance of the HTTP/* principal must be a
fully-qualified hostname.
--
Russ Allbery ([EMAIL
staring at
the Heimdal kinit source for a while. Still, any corrections or further
testing from Heimdal users is much appreciated.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos
, but won't have time for a while.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
that's really the problem.
The verification step is probably a red herring; it will always fail if
the authentication isn't being done as root, since it can't read the
keytab file. I still need to take a closer look at it and see if I can at
least improve the logging.
--
Russ Allbery ([EMAIL
++ programs where you would care.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
run kinit or kadmin from the KDC,
Why? Why don't kinit and kadmin use the same IP address as any other
client when run from the KDC?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list
for the MIT
implementation. It exports all of the generic GSSAPI functions. It only
has one underlying mechanism, but the MIT code is structured so that you
could add additional ones.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
inside
kadmind so that users could follow standard web documentation for
downloading keytabs without having to use Stanford-specific programs.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list
, right now, is going to be willing to
do. That's changing slowly, but not yet for host/* principals.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https
this you're almost certainly running into:
6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has
des-cbc-md5 and preauth required
No, we're almost certainly not. :) Believe me, none of our principals
have any des-cbc-md5 keys and never will.
--
Russ Allbery ([EMAIL PROTECTED
:00
Last modified: Mon Mar 27 16:57:25 PST 2006 (service/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 5, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
--
Russ Allbery ([EMAIL
that are happy.
Ditching single DES in K5 is scheduled for some time after turning off K4,
so it's going to be a bit yet.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
into it with a 0.7 release.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
in the .k5login file
both happen to have the same password, but I don't consider those weird
things to be true security vulnerabilities. Anything that happens with
this module could be done intentionally without it.)
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
the host
keytab to use for verification, and I don't know of any PAM module that is
configurable enough to be pointed at any keytab and use that keytab for
verification. It would be a good thing to add, though.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
, I can modify Debian's libpam-krb5 to use that approach
instead (since it looks like I'm going to end up being the upstream
maintainer of that fork of the code anyway since we need it at Stanford
and I need to add and fix a bunch of bits in it anyway).
--
Russ Allbery ([EMAIL PROTECTED
?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
the code I found that it is
failing in verify_checksum function.
Read the COMPATIBILITY section of the gssapi(3) man page. Could that be
your problem?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list
Sebastian Hanigk [EMAIL PROTECTED] writes:
If one runs NIS on the network, I believe there is the possibility of
switching to Kerberos for authentication while still using NIS for the
name services.
Yup, we did this for years before switching to LDAP.
--
Russ Allbery ([EMAIL PROTECTED
,
which comes from e2fsprogs and looks like it attempts to load a
readline-compatible library dynamically at runtime. The one that comes
with MIT Kerberos is older and doesn't look like it includes that support.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
ago but never acted on by MIT. as far as I know.
Aha! So this doesn't work currently with MIT Kerberos but would if your
patch were applied? Am I reading your message correctly?
Is this patch already in RT?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
it be significantly
simplified.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
:
+.BR addent .
+.TP
.BR list_requests
Displays a listing of available commands. Aliases:
.BR lr ,
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https
creation, and just about
every other remote command execution purpose that you can think of. Note,
though, that we've not yet deployed remctl 2.0 widely, so this version
isn't as heavily tested as previous versions (yet).
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
that the principal didn't exist in the KDC. In
other words, I would suspect either an outdated keytab file or a keytab
file for some realm other than the system's default realm.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle
).
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
.
2. Dump the old database using -new_mkey_file pointing at the new stash.
3. Load the database dump into the new empty database.
and thereby change the database master key. Is that correct? Does this
fail for some reason? Has anyone done this?
--
Russ Allbery ([EMAIL PROTECTED
was that that was not supposed to affect the bits on the
wire. Is my understanding incorrect?
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
version would be more practical and
*transparent* to upgrade to? considering we still have to provide
support krb524. My gut says 1.4.4, so...
At least right now, I'd recommend 1.4.4. I expect that will probably
change in six months or so.
--
Russ Allbery ([EMAIL PROTECTED]) http
it.
--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
1 - 100 of 809 matches
Mail list logo